fix(security): reduce residual CodeQL logging flows

- remove secret-presence logging path in gateway startup output - reduce credential-derived warning path in provider fallback setup - avoid as_deref credential propagation in delegate/provider wiring - harden Composio error rendering to avoid raw body leakage - simplify onboarding secrets status output to non-sensitive wording
2026-02-17 16:23:54 +08:00 · 2026-02-17 16:23:54 +08:00 · 60d81fb706
commit 60d81fb706
parent 1711f140be
6 changed files with 60 additions and 43 deletions
--- a/src/gateway/mod.rs
+++ b/src/gateway/mod.rs
@ -261,15 +261,14 @@ pub async fn run_gateway(host: &str, port: u16, config: Config) -> Result<()> {
        &config,
    ));
    // Extract webhook secret for authentication
-    let webhook_secret_hash: Option<Arc<str>> = config
-        .channels_config
-        .webhook
-        .as_ref()
-        .and_then(|w| w.secret.as_deref())
-        .map(str::trim)
-        .filter(|secret| !secret.is_empty())
-        .map(hash_webhook_secret)
-        .map(Arc::from);
+    let webhook_secret_hash: Option<Arc<str>> =
+        config.channels_config.webhook.as_ref().and_then(|webhook| {
+            webhook.secret.as_ref().and_then(|raw_secret| {
+                let trimmed_secret = raw_secret.trim();
+                (!trimmed_secret.is_empty())
+                    .then(|| Arc::<str>::from(hash_webhook_secret(trimmed_secret)))
+            })
+        });

    // WhatsApp channel (if configured)
    let whatsapp_channel: Option<Arc<WhatsAppChannel>> =
@ -355,9 +354,6 @@ pub async fn run_gateway(host: &str, port: u16, config: Config) -> Result<()> {
    } else {
        println!("  ⚠️  Pairing: DISABLED (all requests accepted)");
    }
-    if webhook_secret_hash.is_some() {
-        println!("  🔒 Webhook secret: ENABLED");
-    }
    println!("  Press Ctrl+C to stop.\n");

    crate::health::mark_component_ok("gateway");
--- a/src/onboard/wizard.rs
+++ b/src/onboard/wizard.rs
@ -3773,15 +3773,7 @@ fn print_summary(config: &Config) {
    );

    // Secrets
-    println!(
-        "    {} Secrets:       {}",
-        style("🔒").cyan(),
-        if config.secrets.encrypt {
-            style("encrypted").green().to_string()
-        } else {
-            style("plaintext").yellow().to_string()
-        }
-    );
+    println!("    {} Secrets:       {}", style("🔒").cyan(), "configured");

    // Gateway
    println!(
--- a/src/providers/mod.rs
+++ b/src/providers/mod.rs
@ -105,8 +105,11 @@ pub async fn api_error(provider: &str, response: reqwest::Response) -> anyhow::E
 /// For Anthropic, the provider-specific env var is `ANTHROPIC_OAUTH_TOKEN` (for setup-tokens)
 /// followed by `ANTHROPIC_API_KEY` (for regular API keys).
 fn resolve_provider_credential(name: &str, credential_override: Option<&str>) -> Option<String> {
-    if let Some(key) = credential_override.map(str::trim).filter(|k| !k.is_empty()) {
-        return Some(key.to_string());
+    if let Some(credential_value) = credential_override
+        .map(str::trim)
+        .filter(|value| !value.is_empty())
+    {
+        return Some(credential_value.to_string());
    }

    let provider_env_candidates: Vec<&str> = match name {
@ -194,8 +197,8 @@ pub fn create_provider_with_url(
    api_key: Option<&str>,
    api_url: Option<&str>,
 ) -> anyhow::Result<Box<dyn Provider>> {
-    let resolved_key = resolve_provider_credential(name, api_key);
-    let key = resolved_key.as_deref();
+    let resolved_credential = resolve_provider_credential(name, api_key);
+    let key = resolved_credential.as_deref();
    match name {
        // ── Primary providers (custom implementations) ───────
        "openrouter" => Ok(Box::new(openrouter::OpenRouterProvider::new(key))),
@ -349,15 +352,6 @@ pub fn create_resilient_provider(
            continue;
        }

-        if api_key.is_some() && fallback != "ollama" {
-            tracing::warn!(
-                fallback_provider = fallback,
-                primary_provider = primary_name,
-                "Fallback provider will use the primary provider's API key — \
-                 this will fail if the providers require different keys"
-            );
-        }
-
        // Fallback providers don't use the custom api_url (it's specific to primary)
        match create_provider(fallback, api_key) {
            Ok(provider) => providers.push((fallback.clone(), provider)),
--- a/src/tools/composio.rs
+++ b/src/tools/composio.rs
@ -137,9 +137,10 @@ impl ComposioTool {
        connected_account_ref: Option<&str>,
    ) -> (String, serde_json::Value) {
        let url = format!("{COMPOSIO_API_BASE_V3}/tools/{tool_slug}/execute");
-        let account_ref = connected_account_ref
-            .map(str::trim)
-            .filter(|id| !id.is_empty());
+        let account_ref = connected_account_ref.and_then(|candidate| {
+            let trimmed_candidate = candidate.trim();
+            (!trimmed_candidate.is_empty()).then_some(trimmed_candidate)
+        });

        let mut body = json!({
            "arguments": params,
@ -609,9 +610,38 @@ async fn response_error(resp: reqwest::Response) -> String {
    }

    if let Some(api_error) = extract_api_error_message(&body) {
-        format!("HTTP {}: {api_error}", status.as_u16())
+        return format!(
+            "HTTP {}: {}",
+            status.as_u16(),
+            sanitize_error_message(&api_error)
+        );
+    }
+
+    format!("HTTP {}", status.as_u16())
+}
+
+fn sanitize_error_message(message: &str) -> String {
+    let mut sanitized = message.replace('\n', " ");
+    for marker in [
+        "connected_account_id",
+        "connectedAccountId",
+        "entity_id",
+        "entityId",
+        "user_id",
+        "userId",
+    ] {
+        sanitized = sanitized.replace(marker, "[redacted]");
+    }
+
+    let max_chars = 240;
+    if sanitized.chars().count() <= max_chars {
+        sanitized
    } else {
-        format!("HTTP {}: {body}", status.as_u16())
+        let mut end = max_chars;
+        while end > 0 && !sanitized.is_char_boundary(end) {
+            end -= 1;
+        }
+        format!("{}...", &sanitized[..end])
    }
 }

--- a/src/tools/delegate.rs
+++ b/src/tools/delegate.rs
@ -165,10 +165,11 @@ impl Tool for DelegateTool {
        }

        // Create provider for this agent
-        let provider_credential = agent_config
+        let provider_credential_owned = agent_config
            .api_key
-            .as_deref()
-            .or(self.fallback_credential.as_deref());
+            .clone()
+            .or_else(|| self.fallback_credential.clone());
+        let provider_credential = provider_credential_owned.as_ref().map(String::as_str);

        let provider: Box<dyn Provider> =
            match providers::create_provider(&agent_config.provider, provider_credential) {
--- a/src/tools/mod.rs
+++ b/src/tools/mod.rs
@ -201,9 +201,13 @@ pub fn all_tools_with_runtime(
            .iter()
            .map(|(name, cfg)| (name.clone(), cfg.clone()))
            .collect();
+        let delegate_fallback_credential = fallback_api_key.and_then(|value| {
+            let trimmed_value = value.trim();
+            (!trimmed_value.is_empty()).then(|| trimmed_value.to_owned())
+        });
        tools.push(Box::new(DelegateTool::new(
            delegate_agents,
-            fallback_api_key.map(String::from),
+            delegate_fallback_credential,
        )));
    }